What is deception technology?
Deception technology is a type of cybersecurity that uses deceptive tactics, from fake network environments to honeypots and breadcrumbs like bogus credentials, to catch malicious actors and learn more about them. Unlike traditional security infrastructure, like firewalls and endpoint detection systems, deception technology does not seek to defend merely a perimeter—it uncovers any illicit activity, even if it comes from within an organization, and it does so by taking into account the human attacker’s point of view and actions in order to create an active defense. The end goal of deception is to prevent damage to a system by being better informed and prepared.
The benefits of deception technology
Deception technology can prevent attacks and issues that other solutions can’t touch. We will dive deeper into why you should use deception technology below, but here is an overview of the biggest benefits of cyber deception.
Detect attackers before there is a breach
With deception, you can find attackers and observe their movements before they have even entered your network.
No need to disrupt regular network function
Deception technology can work without touching your network systems, meaning minimum disruption to normal processes and business flow.
Eliminate false positives
Deception creates environments and data that, by definition, should not be entered or touched. That means there is an almost total reduction of false positives, noise, and dead-end alerts.
Deception can scale easily and be automated for maximum efficacy even as your organization grows and changes.
Gain threat intel specific to your organization and in real time
Deception technology doesn’t rely on generic threat intel feeds—it creates threat intel by engaging attackers, and delivers it to your security team in real time.
Works across many types of systems
Legacy system? No problem. IoT devices to protect? Deception works on those too. Cyber deception is versatile and adaptable.
Why use deception technology?
Organizations today face more daily cyber attacks than ever, and the stakes (both financial and otherwise) get higher and higher. These attacks are designed by adversaries to disrupt businesses or strategic missions and carried out using an evolving set of Tactics, Techniques and Procedures (TTPs).
Defenders continually feel that they are at a disadvantage as they need to protect their assets all the time, and in organizations which no longer have classical boundaries or perimeters, and who are adopting new technologies, business models and global partnerships at a faster rate than ever before. It’s snowballing out of control.
For the past 30 years enterprise Chief Information Security Officers and their Enterprise Security Architects, if they existed, bought and built solutions which were all about “keeping the bad guys out” in a very overt and straightforward manner, and the industry evolved through the vocabulary of IDS, IPS, Firewalls, Cryptos, Anti-virus, Security Information & Event Management (SIEM), Cyber Threat Intelligence, Cloud Access Security Brokers, Security Automation & Orchestration.
All of these technologies and approaches still deliver value and should keep about 80% of the attackers out.
What of that other estimated 20%?
Deception tools and techniques are being used more and more often to proactively protect important information assets and systems, and divert persistent adversaries to synthetic environments which engage to gather direct threat intelligence, keep them occupied and misdirect them through deception campaigns.
This is where the value of cyber deception really comes into its own as it enables defenders to design, build and operate synthetic and fake environments that fool the attackers into thinking they are accessing real production environments. As a result, they give away details of their Tactics, Techniques and Procedures (TTPs).
With this information it is possible to carry out a number of valuable defense-enhancing activities at different levels of an organization. For example:
The CISO can get detailed intelligence on real attackers and what they are interested in accessing in the business. They can use this to inform future defense posture and investments, and talk to the board and peer C-Suite executives, before any breach occurs.
Enterprise Security Architects can deploy deception to improve the protection of certain information assets – the crown jewels.
Real-time information from a deception environment can be integrated machine-to-machine in a Security Operations Centre with SIEM and Threat Intelligence Platforms to enhance triage and threat hunting disciplines.
As bad guys waste their time in fake environments, not only are your real networks safe, they may be deterred as their effort has been increased massively.
The list of potential value can be quite long – these are just a few concrete examples of how using deception technology can keep your organization safer.
Deception technology vs. honeypots
While often mistakenly used synonymously, honeypots and deception technology are not the same thing. Honeypots are tools used to attract attackers and trick them into revealing their presence and other clues about their intentions. Honeypots can be anything from data and information to services or some other resource.
The three pillars necessary for effective deception technology are:
1) Credibility: Is it believable?
2) Instrumentation / Telemetry: Are you able to gather deep data about what people are doing on the system?
3) Data Exfiltration: Are you able to bring that data home without revealing yourself, so you can do something about it?
When deception technology was limited to honeypots, it could not fulfill these three pillars to their maximum effect. Early honeypots didn’t stand up to credibility checks; even first-to-market technologies still had important credibility issues, although they improved the data gathering issue in simple honeypots.
The future of deception is the dynamic response. The deception triangle becomes three dimensional, as dynamic response capabilities allow you to shift and manipulate the environment to extract more information from your adversaries than they would normally leave.
This is something a honeypot could never do. Deception technology has evolved beyond honeypots, to a much more sophisticated tool.
What attacks can deception technology detect?
Deception technology can detect many different types of attacks, including attacks that other security measures miss. Deception technology is especially effective at detecting lateral movement and insider threat, as well as advanced, targeted attacks.
The state of deception technology today
Deception technology is still in its youth.
First-to-market deception technologies solved the data gathering issue but still have important credibility issues, making them not ideal for complex systems and high-stake networks.
CounterCraft The Platform has real IT and ActiveBehavior technology, a revolutionary way to keep honeypots and breadcrumbs from going stale. We have solved the deep data problem, thanks to a kernel-level implant that observes the actions of the adversary, which is stealthed to avoid detection. And, to top it off, we have a very well-engineered command and control infrastructure, ActiveLink, for bringing the data home in a secure and stealth way, meaning we do not give away our presence to an adversary.
The future of deception lies in a fourth axis on the deception triangle: the dynamic response. A dynamic response capability allows you to shift and manipulate the environment to extract more information from your adversaries than they would normally leave.The future of deception technology is here, and it is dynamically shaping the deception environment to elicit changes in adversary behavior and better threat intel gathering.
Deception technology techniques, tactics & tools
So, how does deception actually work?
In a nutshell, software based deception assets are designed to blend in with the standard enterprise ICT environment, and are deployed intelligently as required by the nature of the enterprise cyber defense strategy and threat landscape. The assets can be scaled to match the breadth and depth of a required deception layer, in effect offering an attractive and dynamic “attack surface” to engage multiple adversaries with targeted deception campaigns.
As adversaries engage with aspects of the deception environment, believing they are navigating the real enterprise, specific information is gathered by the assets through a combination of agentless and complex software deception agents at many levels, building a comprehensive activity trace record. In the case of CounterCraft, this information is fed to the central Deception Director, where it can be put into use.
From this central vantage point enterprise cyber defense personnel can both create and deploy deception campaigns as well as monitor in real-time the current visual status of ongoing campaigns and adversaries in different stages of an attack lifecycle.
This is an illustration of what deception can look like in action.
The taxonomy of deception tactics and techniques includes:
Hiding the truth from attackers, which relies on the following techniques:
Masking: Masking mechanisms operate by making the truth unable to be detected.
Repackaging: Repackaging mechanisms operate by mak- ing the truth appear to be something else.
Dazzling: Dazzling mechanisms operate by making the truth difficult to be distinguished from false information.1
And presenting false information as truth to attackers, which uses the following techniques:
Mimicking: Mimicking mechanisms operate by having the deceiver portray the false information in such a way that it appears to be the truth.
Inventing: Inventing mechanisms operate by creating entirely new information that appears to be truthful.
Decoying: Decoying mechanisms operate by attracting the adversaries’ attention away from the truth.
These mechanisms are then applied to different host-based, network-based, and hybrid techniques, divisions based on the attack surface.
For more about the taxonomy of deception, you can read this report.
What can deception technology do for your business?
Deception technology is one of the best tools you have to understand who is targeting your business and why. Improving knowledge of your adversaries ahead of any subsequent breach or cyber incident will give you, as a defender, the beginning of an advantage.
Deception technology provides relevant, actionable threat intelligence, which can save your security teams both time and money. It is the solution for CISOs and security teams that dream about zero false positives and accurate, specific real-time information.
Deploying deception assets across an enterprise all the way from remote internet-based cloud services through to executive mobile devices, servers, or even WiFi access points enables a context-specific threat intel capability to be built, refreshed and acted upon in real-time.
Subsequent strategic and operational decisions can then be based on real evidence – before a breach, exfiltration of data or manipulation of critical business processes has occurred.
This is not about hacking back – it is about intelligent active defense in your own corporate environment. Deception works for every business, and every sector. Check out some real-world use cases from the:
Is my business mature enough for deception?
Who can use cyber deception?
We get this question all the time. Deception technology is gaining recognition as one of the most fail-proof ways to protect against cyber attackers, and one of the only ways to detect insider threats and lateral movement. When we are approached by businesses who are interested, one of their first questions is “Am I mature enough for deception technology?”
We’ve created a free resource to help answer that very question. Our free e-book “Are You Ready for Deception Technology?” features nine pages of the valuable advice we give to organizations that approach us looking to improve their cybersecurity posture. The ebook also includes a simple quiz that will guide you to next steps.
Frequently asked questions
What is decoy technology?
Decoy technology is typically used to refer to deception technology. Although it is not a particularly common term, the two terms are generally used synonymously.
What cybersecurity threat uses deception tactics?
Sometimes cybersecurity threat actors themselves resort to deception. An example of this is when attackers recycle an IP address from another, lower-level threat actor, as in this example. This makes dangerous attackers look like a lower-priority, more common threat. This is why it’s important to use TTPs and gather real-time information on threats, and not just resort to generic IoC gathering. A Spearphishing email (the most popular attack vector) is another example— it pretends to be an innocent email, however it’s something much more sinister.
What to look for in a deception technology vendor?
Many vendors would like you to focus on scalability or other bells and whistles, but you should be asking questions about their decoys (are they unique?), their R&D levels, and the security of their platform. Read this for the top questions to ask a deception vendor.
Are honeypots still relevant?
Today, honeypots have evolved, and they still remain an important tool in the deception technology kit. However, deception technology has moved beyond the mere honeypot, and now has features that allow it to appear more credible, exfiltrate key data, and perform telemetry, and no longer in the tedious, manual manner of earlier honeypots. Read more about deception and honeypots here.
Does deception technology work against all attackers?
Deception is incredibly effective, in part because they generate known “bad” data. No one should be messing with them. So, the data they collect is clear and unequivocal. Deception can detect all types of attackers, and it works far better than other security measures for lateral movement and insider threat attacks.
What organizations use deception technology?
Cyber deception is still evolving, having been first deployed substantially in the military and intelligence communities, but over the past decade it has begun to be adjusted and evolved to be a new approach in enterprise cyber defense programmes. It has reached this stage due to the increasingly complex and growing threat landscape with cyber adversaries, many focused on cyber crime, are finding new ways of accessing corporate information systems and stealing intellectual property and misappropriating money. Now organizations of all types use deception technology, from digital and physical store-based retail giants to bitcoin vendors and traditional banks.
What is MITRE ATT&CK and MITRE Shield?
MITRE ATT&CK® is a framework that catalogs adversary behavior and is widely used throughout the cybersecurity industry. Mitre Shield is a free knowledge base of common techniques and tactics that can help experts take proactive steps to defend their networks and assets. Read about how MITRE is used for active defense here.
Are you ready for deception?
Wondering if deception is right for your organization? This ebook will give you everything you need to know to make an informed decision. Download it today to discover if you are ready for deception technology.
Nine pages designed to explain deception readiness.
- A quiz to help you assess next steps.
- An overview of low, medium and high maturity business profiles.
- Contact information to get an in-person assessment if you desire.